Adding trusted-keys to named.conf

Mark Andrews marka at isc.org
Thu Feb 28 23:21:50 UTC 2013


In message <512FB319.7030404 at htt-consult.com>, Robert Moskowitz writes:
> I MAY be doing something wrong, or my problem is elsewhere...
> 
> In zone htt. I have the DNSKEY RR:
> 
> htt.    IN    DNSKEY    257 3 7 
> AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi 
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP 
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w 
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW 
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD 
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X 
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==
> 
> So in my caching server's named.conf I added at the end:
> 
> include "/etc/named.trusted.key";
> 
> and this contains:
> 
> trusted-keys {
> 
>      # DNSKEY for htt zone.
> 
> htt.    257 3 7 
> "AwEAAfEIWjDoEesqC4NLAwNFgviq+IGbUFmnFn0/2L8UvLWMjYiGFETi 
> NyA4CVaaG4GMekSJM8dI0FepyIKurxAhYzyV+phS5C6MoVmnYdF27dkP 
> qS0pFDZ/Hpp25qTrKIUjcqvxgECP1ArXa7yyE7/xWzQjH9nk5gEnad6w 
> Gy41lRnv3/UPtkxw669V2Ikb1NLAB5XnAzpTc4Tm7QPRPtbN8+FKWyYW 
> Ie9/nYKf67vSrlwbxRFbb27GeEmnrqMtsLkSFP1zDoUbmgJs3yiVjFCD 
> 8hRYlbOA9lgAMbOGm4tNsLOFx0vyBZEVtdh4l/YDAaklygtR+f60271X 
> DHWaC4U/VYrHRidg2krM+UpPhjqn3aPJFIyyKEEE66cMSlf7ROL71w==";
> 
> };
> 
> And I am still getting:
> 
> Feb 28 14:35:17 klovia named[24806]:   validating @0xb4855220: htt SOA: 
> got insecure response; parent indicates it should be secure

The forwarders are not DNSSEC enabled.  "parent" here means named.conf.
From the recursive server run

	dig @forwarder +dnssec htt soa

This should work and have RRSIG records.  Do some other queries also
with +dnssec.  Negative responses should have NSEC/NSEC3 records if
they are coming from a signed zone.
 
> The log for starting named does have:
> 
> Feb 28 14:35:00 klovia named[24806]: managed-keys-zone ./IN: loaded 
> serial 103

managed-keys in named.conf are just the initial keys used as the
starting point for RFC 5011 style trusted key management.  The runtime
keys are pulled from a separate database.  That message says that
the serial number for that database is 103.

> but nothing about trusted-keys loaded.  In the 
> http://www.isc.org/software/bind/documentation/arm95 it shows the 
> trusted-keys clause before the global options.  Does order matter; it 
> seems to for ACLs?   Is there something else I am missing?
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
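As an added example (not code from the original thread or from ISC), a small Python checker for the diagnostic Mark describes: it parses the text output of `dig @forwarder +dnssec ...` and reports whether a positive answer carries RRSIG records and whether a negative answer carries signed NSEC/NSEC3 records. The dig output embedded below is constructed sample text with placeholder signature values; the function names are my own.

```python
import re

# Constructed sample of `dig @forwarder +dnssec htt soa` output; the
# signature value is a placeholder, not real data.
SIGNED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
htt.\t3600\tIN\tSOA\tns.htt. hostmaster.htt. 2013022801 3600 900 604800 86400
htt.\t3600\tIN\tRRSIG\tSOA 7 1 3600 20130330000000 20130228000000 12345 htt. PLACEHOLDER==
"""

# Constructed: the same query answered by a forwarder that drops DNSSEC records.
UNSIGNED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
htt.\t3600\tIN\tSOA\tns.htt. hostmaster.htt. 2013022801 3600 900 604800 86400
"""

def parse_dig(text):
    """Return (status, {section: [rrtype, ...]}) from dig's text output."""
    status = re.search(r"status: (\w+)", text).group(1)
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            # Owner, TTL, class, type, rdata: the type is the fourth field.
            sections[current].append(line.split()[3])
    return status, sections

def diagnose(text):
    """Classify a +dnssec reply the way the thread suggests checking it."""
    status, sections = parse_dig(text)
    answer = sections.get("ANSWER", [])
    authority = sections.get("AUTHORITY", [])
    if status == "NOERROR" and answer:
        return "signed" if "RRSIG" in answer else "insecure: no RRSIG in answer"
    # NXDOMAIN or NODATA: a signed zone must prove the absence with NSEC/NSEC3.
    has_denial = any(t in ("NSEC", "NSEC3") for t in authority)
    if has_denial and "RRSIG" in authority:
        return "signed"
    return "insecure: negative response lacks signed NSEC/NSEC3"
```

An "insecure" result from the forwarder, while the zone itself is signed, matches the "got insecure response; parent indicates it should be secure" log line in the question.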